Slide 1

Slide 1 text

Can you keep a secret?
Using R to encrypt and share secrets

Andrie de Vries
Senior PM, Data science lead, Microsoft
@RevoAndrie
UseR!2017, Brussels

Slide 2

Slide 2 text

Andrie de Vries

CRAN packages:
• ggdendro
• sss
• miniCRAN
• checkpoint
• secret

StackOverflow: andrie
Twitter: @RevoAndrie
github.com/andrie

Slide 3

Slide 3 text

What secrets do you keep?

Slide 4

Slide 4 text

Secrets

• Database connection
• Cloud service authentication
• API keys
• ???

Slide 5

Slide 5 text

How can your secrets leak?

Slide 7

Slide 7 text

Secrets in plain text in script!!!

68ef5aa9196142799d10bedd43f8254c
49291aae0d8f4904a4af53a8d581c907

Slide 8

Slide 8 text

(Inadvertently) leaking secrets

• Sharing secrets in plain text
  • Files / email
• Inadvertent leaks from R
  • .Rhistory
  • .RData
• Other inadvertent leaks
  • Private GitHub projects that become public

Slide 9

Slide 9 text

How can you prevent leaks?

Slide 10

Slide 10 text

Options for preventing leaks

• Plain text file outside your project
  • Won’t go into version control
  • But not secure
• Encrypted file outside your project
  • Difficult to share
• Encrypted file inside your project

But how do you share the secret with your collaborators?

Slide 11

Slide 11 text

Public key cryptography

Slide 12

Slide 12 text

Alice generates a key pair

Command line (ssh-keygen) or GUI tools, e.g. PuTTYgen

Source: https://en.wikipedia.org/wiki/Public-key_cryptography

Slide 13

Slide 13 text

Bob wants to share a secret

Bob encrypts using Alice’s public and his own private key

Source: https://en.wikipedia.org/wiki/Public-key_cryptography

Slide 14

Slide 14 text

Alice can read the secret

Alice decrypts secret using her private key

Source: https://en.wikipedia.org/wiki/Public-key_cryptography

Slide 15

Slide 15 text

Public key cryptography

The combination of private / public keys gives the same secret

Source: https://en.wikipedia.org/wiki/Public-key_cryptography

Slide 16

Slide 16 text

Summary

• Every user has a private / public key pair
• Share public keys in the open
• Encrypt secrets with:
  • Your private key
  • The counterparty’s public key
• Decrypt using your private key

Slide 17

Slide 17 text

But how do you do this with R?

Slide 18

Slide 18 text

Use the `secret` package

• On CRAN now
  • Published 2017-06-17
  • https://cran.r-project.org/package=secret
  • Maintainer: Gábor Csárdi
• Functionality
  • Create a vault
  • Add users
  • Encrypt and decrypt secrets
  • Share secrets
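
The four vault operations listed above, run end to end as an added example (not taken from the slides or the package vignette). It assumes the `secret` and `openssl` packages are installed; the user names, throwaway keys, `make_keys` helper and secret value are constructed for illustration.

```r
# Added example: constructed throwaway keys and secret, not from the slides.
library(secret)
library(openssl)

work <- tempfile("secret-demo-")
dir.create(work)

# Hypothetical helper for this example only: generate an RSA key pair and
# write it as PEM files, standing in for each user's own key files.
make_keys <- function(user) {
  key  <- rsa_keygen(bits = 2048)
  priv <- file.path(work, paste0(user, ".pem"))
  pub  <- file.path(work, paste0(user, ".pub"))
  write_pem(key, priv)
  write_pem(key$pubkey, pub)
  list(private = priv, public = pub)
}
alice <- make_keys("alice")
bob   <- make_keys("bob")

# 1. Create a vault. It stores public keys and encrypted secrets only.
vault <- file.path(work, ".vault")
create_vault(vault)

# 2. Add users by registering their PUBLIC keys; private keys never enter the vault.
add_user("alice", alice$public, vault = vault)
add_user("bob",   bob$public,   vault = vault)

# 3. Encrypt a secret that only alice may read.
add_secret("db_credentials",
           value = c(user = "svc_report", password = "constructed-example"),
           users = "alice", vault = vault)

# 4. Decrypt: alice's private key works, bob's is refused until the secret is shared.
alice_view  <- get_secret("db_credentials", key = alice$private, vault = vault)
bob_refused <- tryCatch(
  { get_secret("db_credentials", key = bob$private, vault = vault); FALSE },
  error = function(e) TRUE)

# 5. Share: alice, who can already decrypt, grants bob access.
share_secret("db_credentials", users = "bob", key = alice$private, vault = vault)
bob_view <- get_secret("db_credentials", key = bob$private, vault = vault)

stopifnot(bob_refused, identical(alice_view, bob_view))
print(list_secrets(vault))  # which users can read which secret
unlink(work, recursive = TRUE)
```

In a real project the vault directory is what goes into version control, while the `.pem` private key files stay outside the repository.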

Slide 19

Slide 19 text

Use cases

• Encrypt a secret to use on different machines
  • Encrypt SQL server credentials
  • Develop locally or in Data Science Virtual Machine, then deploy in Azure
• Encrypt a secret to share with team
  • Use github or Visual Studio Team Services for version control
• Encrypt secret to use with continuous integration
  • Use github for version control
  • Automatically start Travis job on push

Slide 20

Slide 20 text

Demo

Slide 21

Slide 21 text

Demo

• The demo is based on the package vignette
  • https://cran.r-project.org/web/packages/secret/vignettes/secrets.html

Slide 22

Slide 22 text

Conclusion

Slide 23

Slide 23 text

Note for Windows users

If you use Windows, you most likely created your keys using PuTTYgen.
• Note that the key created by PuTTYgen is not in OpenSSH format.
• Convert the format with PuTTYgen: use /Conversions/Export OpenSSH key

Note that the folder ~/.ssh in Windows usually expands to C:/Users/YOURNAME/Documents/.ssh. You can find the full path by using:

normalizePath("~/.ssh", mustWork = FALSE)
## [1] "C:/Users/adevries/Documents/.ssh"

Slide 24

Slide 24 text

Resources

• CRAN
  • https://cran.r-project.org/package=secret
• Github
  • https://github.com/gaborcsardi/secret
• Vignette
  • https://cran.r-project.org/web/packages/secret/vignettes/secrets.html